<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
 <head>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <title>Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection</title>
<link media="all" rel="stylesheet" type="text/css" href="styles/03e73060321a0a848018724a6c83de7f-theme-base.css" />
<link media="all" rel="stylesheet" type="text/css" href="styles/03e73060321a0a848018724a6c83de7f-theme-medium.css" />

 </head>
 <body class="docs">
<div id="layout">
  <div id="layout-content"><div id="mysqli.real-escape-string" class="refentry">
 <div class="refnamediv">
  <h1 class="refname">mysqli::real_escape_string</h1>
  <h1 class="refname">mysqli::escape_string</h1>
  <h1 class="refname">mysqli_real_escape_string</h1>
  <p class="verinfo">(PHP 5, PHP 7, PHP 8)</p><p class="refpurpose"><span class="refname">mysqli::real_escape_string</span> -- <span class="refname">mysqli::escape_string</span> -- <span class="refname">mysqli_real_escape_string</span> &mdash; <span class="dc-title">Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection</span></p>

 </div>

 <div class="refsect1 description" id="refsect1-mysqli.real-escape-string-description">
  <h3 class="title">Description</h3>
  <p class="para">Object-oriented style</p>
  <div class="methodsynopsis dc-description">
   <span class="methodname"><a href="function.mysqli-escape-string.html" class="methodname">mysqli::escape_string</a></span>(<span class="methodparam"><span class="type">string</span> <code class="parameter">$escapestr</code></span>): <span class="type">string</span></div>

  <div class="methodsynopsis dc-description"><span class="methodname"><strong>mysqli::real_escape_string</strong></span>(<span class="methodparam"><span class="type">string</span> <code class="parameter">$escapestr</code></span>): <span class="type">string</span></div>

  <p class="para rdfs-comment">Procedural style</p>
  <div class="methodsynopsis dc-description"><span class="methodname"><strong>mysqli_real_escape_string</strong></span>(<span class="methodparam"><span class="type"><a href="class.mysqli.html" class="type mysqli">mysqli</a></span> <code class="parameter">$link</code></span>, <span class="methodparam"><span class="type">string</span> <code class="parameter">$escapestr</code></span>): <span class="type">string</span></div>

  <p class="para rdfs-comment">
   This function escapes the special characters in <code class="parameter">escapestr</code> so that the result can be placed
   inside a quoted string literal of an SQL statement without changing the structure of that statement. The escaping is
   performed according to the character set of the current connection. It does not add the surrounding quotes, and it
   protects nothing outside a quoted literal (a bare number, an identifier, a <code class="literal">LIMIT</code> value);
   for untrusted input, a prepared statement with bound parameters is the safer choice.
  </p>
  <div class="caution"><strong class="caution">Warning</strong>
   <h1 class="title">Security: default character set</h1>
   <p class="para">
    <span class="function"><strong>mysqli_real_escape_string()</strong></span> escapes according to the character set the
    client library believes the connection is using. Set that character set with
    <span class="function"><a href="mysqli.set-charset.html" class="function">mysqli_set_charset()</a></span>, or as the
    server's default, before calling this function. Changing it with a plain <code class="literal">SET NAMES</code> query
    is not enough: that switches the server side only, and the client keeps escaping for the old character set. With a
    multibyte character set such as GBK that mismatch is exploitable, because a crafted lead byte can absorb the escaping
    backslash and leave the following quote unescaped.
    See <a href="mysqlinfo.concepts.charset.html" class="link">Character sets</a> for more information.
   </p>
  </div>
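  <p class="para">
   Added illustration, not code from the PHP manual or from mysqli/libmysql: a byte-level Python model of the escaping
   rules listed on this page and of why the warning above matters. It compares a client that escapes for a single-byte
   character set while the server decodes GBK (the state after a plain <code class="literal">SET NAMES gbk</code>) with a
   client that knows the connection is GBK, and scans the resulting literal the way a GBK-aware server tokenizes it.
   The query template, the attacker bytes, the GBK lead/trail byte ranges and the function names are all constructed
   for this example.
  </p>

```python
# Added illustration for the character-set warning above; this is not mysqli's or
# libmysql's code. It models, at the byte level, (1) the escaping rules the manual
# lists, (2) how a client that believes the connection is single-byte differs from
# one that knows it is GBK, and (3) how a GBK-aware server scans a quoted literal.
# GBK is used because its trail-byte range includes 0x5C, the backslash.

# Bytes the manual says are escaped: NUL, \n, \r, \, ', " and Control-Z.
ESCAPES = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\",
    0x27: b"\\'", 0x22: b'\\"', 0x1A: b"\\Z",
}

def gbk_char_len(data: bytes, i: int) -> int:
    """2 if data[i:i+2] is a well-formed GBK double-byte character, 1 for a plain
    single byte, 0 for a lead byte (0x81-0xFE) with no valid trail byte after it."""
    b = data[i]
    if 0x81 <= b <= 0xFE:
        if i + 1 < len(data):
            t = data[i + 1]
            if 0x40 <= t <= 0x7E or 0x80 <= t <= 0xFE:
                return 2
        return 0
    return 1

def escape_single_byte(value: bytes) -> bytes:
    """Escaping by a client that thinks the connection charset is single-byte
    (e.g. latin1). This is the state after 'SET NAMES gbk' sent as an ordinary
    query: the server switched, the client library did not."""
    return b"".join(ESCAPES.get(b, bytes([b])) for b in value)

def escape_gbk_aware(value: bytes) -> bytes:
    """Escaping by a client told via mysqli_set_charset('gbk') what the charset is:
    well-formed double-byte characters pass through untouched, and a stray lead
    byte is itself backslash-escaped so it cannot absorb the backslash that
    protects a following quote."""
    out, i = bytearray(), 0
    while i < len(value):
        n = gbk_char_len(value, i)
        if n == 2:
            out += value[i:i + 2]
            i += 2
        elif n == 0:
            out += b"\\" + bytes([value[i]])
            i += 1
        else:
            out += ESCAPES.get(value[i], bytes([value[i]]))
            i += 1
    return bytes(out)

PREFIX = b"SELECT * FROM users WHERE name = '"   # constructed query template
SUFFIX = b"' AND active = 1"

def literal_end(sql: bytes, start: int) -> int:
    """Offset of the quote that closes the literal opened at sql[start], scanned as
    a GBK-aware server does: a double-byte character is consumed whole, a backslash
    consumes the byte after it, and the first bare quote ends the literal.
    Returns -1 if the literal never closes."""
    i = start + 1
    while i < len(sql):
        if gbk_char_len(sql, i) == 2:
            i += 2
        elif sql[i] == 0x5C:
            i += 2
        elif sql[i] == 0x27:
            return i
        else:
            i += 1
    return -1

def breaks_out(escaped_value: bytes) -> bool:
    """True if the value closes the literal before the template's own closing
    quote, i.e. the remainder of the value is parsed as SQL."""
    sql = PREFIX + escaped_value + SUFFIX
    end = literal_end(sql, len(PREFIX) - 1)
    return end != -1 and end < len(PREFIX) + len(escaped_value)

def backslash_swallowed() -> bool:
    """The core of the mismatch: the byte pair 0xBF 0x5C is one GBK character, so
    a backslash inserted before a quote disappears into the preceding byte."""
    return len(b"\xbf\x5c".decode("gbk")) == 1

def unquoted_context_is_unprotected() -> bool:
    """Escaping only protects the inside of a quoted literal; a value spliced into
    an unquoted numeric position is passed through unchanged by both escapers."""
    value = b"1 OR 1=1"
    return escape_gbk_aware(value) == value and escape_single_byte(value) == value

if __name__ == "__main__":
    # Constructed attacker input: a GBK lead byte immediately followed by a quote.
    payload = b"\xbf' OR 1=1 -- "
    print("single-byte client, GBK server:", breaks_out(escape_single_byte(payload)))
    print("GBK-aware client, GBK server:  ", breaks_out(escape_gbk_aware(payload)))
    print("manual's example value:        ", breaks_out(escape_gbk_aware(b"'s Hertogenbosch")))
```

  <p class="para">
   Run as a script it prints the three outcomes. The point the model carries over to PHP: set the character set with
   <span class="function"><a href="mysqli.set-charset.html" class="function">mysqli_set_charset()</a></span> so the client
   escapes for the same character set the server decodes, and use the escaped value only inside a quoted string literal;
   a prepared statement sidesteps both concerns.
  </p>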
 </div>


 <div class="refsect1 parameters" id="refsect1-mysqli.real-escape-string-parameters">
  <h3 class="title">Parameters</h3>
  <p class="para">
   <dl>
    <dt>

<code class="parameter">link</code></dt>
<dd>
<p class="para">Procedural style only: a <span class="classname"><a href="class.mysqli.html" class="classname">mysqli</a></span> object
returned by <span class="function"><a href="function.mysqli-connect.html" class="function">mysqli_connect()</a></span> or <span class="function"><a href="mysqli.init.html" class="function">mysqli_init()</a></span>.</p></dd>

    
     <dt>
<code class="parameter">escapestr</code></dt>

     <dd>

      <p class="para">
       The string to be escaped.
      </p>
      <p class="para">
       The characters encoded are <code class="literal">NUL (ASCII 0), \n, \r, \, &#039;, &quot;</code> and
       <code class="literal">Control-Z</code>; each is replaced by its backslash-escaped form
       (<code class="literal">\0</code>, <code class="literal">\n</code>, <code class="literal">\r</code>,
       <code class="literal">\\</code>, <code class="literal">\&#039;</code>, <code class="literal">\&quot;</code> and
       <code class="literal">\Z</code>).
      </p>
     </dd>

    
   </dl>

  </p>
 </div>


 <div class="refsect1 returnvalues" id="refsect1-mysqli.real-escape-string-returnvalues">
  <h3 class="title">Return Values</h3>
  <p class="para">
   Returns the escaped string.
  </p>
 </div>

 
 <div class="refsect1 errors" id="refsect1-mysqli.real-escape-string-errors">
  <h3 class="title">Errors/Exceptions</h3>
  <p class="para">
   Executing this function on an invalid connection returns
   <strong><code>null</code></strong> and emits an <strong><code>E_WARNING</code></strong> level error.
  </p>
 </div>


 <div class="refsect1 examples" id="refsect1-mysqli.real-escape-string-examples">
  <h3 class="title">Examples</h3>
  <div class="example" id="example-1473">
   <p><strong>Example #1 <span class="methodname"><strong>mysqli::real_escape_string()</strong></span> example</strong></p>
   <div class="example-contents"><p>Object-oriented style</p></div>
   <div class="example-contents">
<div class="phpcode"><code><pre>
&lt;?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if ($mysqli-&gt;connect_errno) {
    printf("Connect failed: %s\n", $mysqli-&gt;connect_error);
    exit();
}

/* set the connection charset before escaping (see the security warning above); utf8mb4 assumed here */
$mysqli-&gt;set_charset("utf8mb4");

$mysqli-&gt;query("CREATE TEMPORARY TABLE myCity LIKE City");

$city = "'s Hertogenbosch";

/* this query will fail, because $city was not escaped */
if (!$mysqli-&gt;query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", $mysqli-&gt;sqlstate);
}

$city = $mysqli-&gt;real_escape_string($city);

/* with $city escaped, the query works */
if ($mysqli-&gt;query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", $mysqli-&gt;affected_rows);
}

$mysqli-&gt;close();
?&gt;
</pre></code></div>
   </div>

   <div class="example-contents"><p>Procedural style</p></div>
   <div class="example-contents">
<div class="phpcode"><code><pre>
&lt;?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

/* set the connection charset before escaping (see the security warning above); utf8mb4 assumed here */
mysqli_set_charset($link, "utf8mb4");

mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");

$city = "'s Hertogenbosch";

/* this query will fail, because $city was not escaped */
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", mysqli_sqlstate($link));
}

$city = mysqli_real_escape_string($link, $city);

/* with $city escaped, the query works */
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", mysqli_affected_rows($link));
}

mysqli_close($link);
?&gt;
</pre></code></div>
   </div>

   <div class="example-contents"><p>The above examples will output:</p></div>
   <div class="example-contents screen">
<div class="cdata"><pre>
Error: 42000
1 Row inserted.
</pre></div>
   </div>
  </div>
 </div>


 <div class="refsect1 notes" id="refsect1-mysqli.real-escape-string-notes">
  <h3 class="title">Notes</h3>
  <blockquote class="note"><p><strong class="note">Note</strong>:
    If you have previously used <span class="function"><a href="function.mysql-real-escape-string.html" class="function">mysql_real_escape_string()</a></span> to escape SQL strings,
    note that <span class="function"><strong>mysqli_real_escape_string()</strong></span> and
    <span class="function"><a href="function.mysql-real-escape-string.html" class="function">mysql_real_escape_string()</a></span> take their arguments in a different order.
    In <span class="function"><strong>mysqli_real_escape_string()</strong></span>,
    <code class="parameter">link</code> is the first parameter,
    whereas in <span class="function"><a href="function.mysql-real-escape-string.html" class="function">mysql_real_escape_string()</a></span> the string to escape comes first.
  </p></blockquote>
 </div>


 <div class="refsect1 seealso" id="refsect1-mysqli.real-escape-string-seealso">
  <h3 class="title">See Also</h3>
  <p class="para">
   <ul class="simplelist">
    <li class="member"><span class="function"><a href="mysqli.set-charset.html" class="function" rel="rdfs-seeAlso">mysqli_set_charset()</a> - Sets the client character set</span></li>
    <li class="member"><span class="function"><a href="mysqli.character-set-name.html" class="function" rel="rdfs-seeAlso">mysqli_character_set_name()</a> - Returns the current character set of the database connection</span></li>
   </ul>
  </p>
 </div>


</div></div></div></body></html>